Securityvulns SECURITYVULNS:DOC:27575
Jan 21, 2012 - 12:00 a.m.

appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability


author: Egidio Romano aka EgiX
mail: n0b0d13s[at]gmail[dot]com
software link: http://www.apprain.com/

[-] vulnerable code in /webroot/addons/uploadify/uploadify.php

    if (!empty($_FILES)) {
            $tempFile = $_FILES['Filedata']['tmp_name'];
            //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
            $targetFile =  "uploads/" . $_FILES['Filedata']['name'];
            // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
            // $fileTypes  = str_replace(';','|',$fileTypes);
            // $typesArray = split('\|',$fileTypes);
            // $fileParts  = pathinfo($_FILES['Filedata']['name']);
            // if (in_array($fileParts['extension'],$typesArray)) {
                    // Uncomment the following line if you want to make the directory if it doesn't exist
                    // mkdir(str_replace('//','/',$targetPath), 0755, true);
                    move_uploaded_file($tempFile,$targetFile);
                    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
            // } else {
            //      echo 'Invalid file type.';
            // }
    }

Access to this script is not properly restricted, and the extension of the uploaded file is not
properly checked, so an attacker might be able to upload arbitrary files containing malicious PHP code.

[-] Possible bug fix:

include_once('…/…/…/app.php');
App::__Obj('appRain_Base_Core')->check_admin_login();

Add these lines of code at the beginning of the script.
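
The suggested fix restricts who can reach the script, but the extension check in the listing stays commented out, and it took its list of allowed types from the client-supplied `$_REQUEST['fileext']`. The following is an added example, not appRain code and not the author's patch, of a handler that authenticates first and then validates against a server-side allowlist. `require_admin_login()`, the `is_admin` session key, `ALLOWED_EXT` and `UPLOAD_DIR` are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.1+), not appRain code. Hardened variant of the handler above.
// Assumptions: the 'is_admin' session key, ALLOWED_EXT and UPLOAD_DIR are illustrative.
// UPLOAD_DIR should be served so that the web server never executes files inside it.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];   // fixed on the server
const UPLOAD_DIR  = __DIR__ . '/uploads';

function require_admin_login(): void      // hypothetical stand-in for the app's own check
{
    session_start();
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function safe_upload_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                       // rejects .php, .phtml, missing extension, ...
    }
    // Discard the client-supplied name; only the vetted final extension survives.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handle_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [400, 'Upload failed.'];
    }
    $name = safe_upload_name($file['name']);
    if ($name === null) {
        return [415, 'Invalid file type.'];
    }
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return [500, 'Could not store file.'];
    }
    return [200, 'uploads/' . $name];
}

if (PHP_SAPI !== 'cli') {                  // entry point: authenticate, then validate
    require_admin_login();
    [$status, $body] = handle_upload($_FILES['Filedata'] ?? []);
    http_response_code($status);
    echo $body;
}
```

Because the stored name is generated on the server, a client name such as `shell.php.jpg` ends up as a random name ending in `.jpg`, and path components in the client name never reach the filesystem.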

[-] Disclosure timeline:

[19/12/2011] - Vulnerability discovered
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] - Vendor response and fix suggested
[16/01/2012] - After four weeks still no fix released
[19/01/2012] - Public disclosure

[-] Proof of concept:

http://www.exploit-db.com/exploits/18392/